From a343a60a6886162c3556e5cff5a12d6218804a58 Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma <roeland@famdouma.nl>
Date: Tue, 20 Nov 2018 09:42:01 +0100
Subject: [PATCH] Handle permission in update of share better

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
---
 apps/files_sharing/lib/Controller/ShareAPIController.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/apps/files_sharing/lib/Controller/ShareAPIController.php b/apps/files_sharing/lib/Controller/ShareAPIController.php
index e33f93e8ce6..2bd535e319f 100644
--- a/apps/files_sharing/lib/Controller/ShareAPIController.php
+++ b/apps/files_sharing/lib/Controller/ShareAPIController.php
@@ -808,6 +808,10 @@ class ShareAPIController extends OCSController {
 			throw new OCSNotFoundException($this->l->t('Wrong share ID, share doesn\'t exist'));
 		}
 
+		if ($share->getShareOwner() !== $this->currentUser && $share->getSharedBy() !== $this->currentUser) {
+			throw new OCSForbiddenException('You are not allowed to edit incomming shares');
+		}
+
 		if ($permissions === null &&
 			$password === null &&
 			$sendPasswordByTalk === null &&
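Review bot: The new `OCSForbiddenException` is thrown with a hard-coded English string that skips `$this->l->t()` (the exception on the context line just above uses it) and misspells "incoming"; I would write `throw new OCSForbiddenException($this->l->t('You are not allowed to edit incoming shares'));`. The diffstat lists only the controller, so this authorization guard ships without a regression test. A test that a share recipient (neither `getShareOwner()` nor `getSharedBy()`) gets `OCSForbiddenException` from the update call would stop the check from being dropped in a later refactor. The guard compares against `$this->currentUser` with `!==`, which is only correct if that property always holds the same string UID type the share getters return; this is presumably the case, but it is set outside the hunk. The enclosing method starts and ends outside the hunk, so I cannot tell whether the other share-mutating paths in this controller apply the same owner/initiator restriction.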
-- 
GitLab